As DDoS attacks become larger, more frequent and complex, being able to stop them is a must. While doing this is part science, a matter of deploying technology, there is also an art to repelling sophisticated attacks.

Arbor Networks, Citrix and others make great gear, but there's no magic box that will solve all your problems for you. Human expertise will always be a crucial ingredient.

The Science

Certain attacks can be mitigated purely through automation. For example, you can set up proper access control lists on your routers, which can block connections to ports through which you have no services. (That is, you can define a list of services authorized to receive traffic, while at the same time dropping all other traffic.) Some attackers randomly try certain attack vectors, hoping to get lucky and flood your infrastructure — without investigating which type of attack might actually work best. When properly configured, your routers and firewalls will automatically drop such traffic, without it even reaching your servers. This is can be very effective and should be part of any mitigation strategy.

Equally effective are advanced AI algorithms, which are often built into routers and DDoS mitigation hardware. These algorithms can give you a picture of an attack in progress. You can also tune their settings to drop traffic when certain thresholds are met. AI algorithms do very well at handling simple attacks (SYN floods, UDP floods, etc.). The catch: Without careful tuning, they can automatically drop good traffic, defeating your goal of continuing business as usual. If your business is profiled on CNN, resulting in surging traffic, your gear may very well kick in and legitimate traffic could be blocked.

The Art

To avoid that sort of situation, you need to spend considerable time tuning your mitigation hardware, so it can tell good traffic from bad. Even this will not always be enough. These days, anyone with decent software development skills can craft attacks that zero in on key infrastructure. He or she will make educated guesses about your website: which parts feature dynamic content, possibly back-ended by a database, and even which parts might be making high-CPU/memory database calls. An attack can be easily masked to look like legitimate traffic. In fact, 10 properly designed simultaneous connections might be enough to take down a cluster! Such attacks take time and creativity to block, no matter if you have the latest mitigation hardware.

The same thing is true when a large, distributed botnet generates thousands of legitimate-looking requests. Automation alone will help you only so much. With the right expertise and hands-on experience, you can set up filters to drop bad traffic.

A Balanced Approach to Stopping Attacks

Before you lose millions in downtime, revenue and brand equity, make sure your mitigation includes both art and science. Remember, even the best technology won't excel without the right guidance. When comes to fighting DDoS attacks, you need both man and machine.

If you don't have the expertise in house, consider a third-party solution like Neustar SiteProtect, a cloud-based service which not only fuses technology from leading vendors (Arbor, Citrix and Juniper, along with several others) but backs it with the experts in our Security Operations Center.